Ping inside interface of ASA across a VPN tunnel.

October 14, 2010 at 12:15 pm (TechTips)

Do you need to ping the inside interface of an ASA across a VPN tunnel?
Maybe you need to do this for monitoring purposes, or whatever.

Allow ICMP from the monitoring station to the inside interface:
icmp permit host 192.168.1.10 inside

Monitoring station -> 192.168.1.10
Inside interface -> inside


Notes on ASA 8.3 NAT

October 13, 2010 at 11:19 am (TechTips)

Cisco ASA 8.3 has introduced major changes in how NAT is configured and operates.

This video is an excellent resource for a basic introduction to NAT on ASA 8.3 software:

https://supportforums.cisco.com/docs/DOC-12324

Here are some quick notes that I have gathered for my reference. Feel free to post any additional comments and notes you may have to share:

COMMANDS

show run objects

(Displays network and service objects that are in the running config)

show run object id <object-name>

(Displays a specific object by name)

show run nat

(Displays running config NAT configurations)

show nat

(Displays NAT policies and counters)

Use packet-tracer for testing NAT (and other things)

packet-tracer input inside tcp 10.0.0.40 4444 198.133.219.25 80

Configure Auto-NAT:

object network inside
   subnet 192.168.1.0 255.255.255.0
   nat (inside,outside) dynamic interface

Note: This will configure PAT on the outside interface for the inside subnet, while at the same time defining the network object for the inside subnet.

Configure Twice (manual) NAT:
nat (inside,outside) source dynamic inside-net translated-ip destination static cisco-dot-com cisco-dot-com

Note: You must first define the network objects for the source and destination before configuring manual NAT. In this example, the source IP address of the inside host is translated to “translated-ip” only when the inside host is sending a packet destined to “cisco-dot-com”. cisco-dot-com is entered twice because we are not translating the destination. If we wanted to translate the destination, we would do it here.

Exempt subnets from NAT because of VPN tunnel:
nat (inside,outside) source static inside-net inside-net destination static vpn-subnets vpn-subnets

This statement will catch traffic on the inside trying to go to the outside. Traffic that matches both the source and the destination is matched by the rule, but the addresses are left unchanged (identity NAT), so it is not PATed before entering the tunnel.

General Notes:

ASA 8.3 has two types of NAT: Auto-NAT and Twice (manual) NAT. You can use Auto-NAT for most NAT/PAT operations, except for ones that need to make a decision based upon the destination address of a packet.

With ASA 8.3, a new change called “Real IP” was introduced. Real IP means that NAT translation happens BEFORE an ACL is checked. Therefore ACLs must contain the real IP address of the host that the inbound packet is headed towards. In other words, do not write the ACL to match on the “mapped” IP address. The real IP address is normally a non-routable IP address.
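As an added worked example (not from the original post), here is a complete 8.3 NAT fragment that ties the notes above together: the objects defined first, Auto-NAT for the inside subnet, a static publish of a web server with its inbound ACL written against the real IP, the VPN identity rule, and packet-tracer checks. All addresses and object names are constructed.

```text
! Added example, not from the original post. Constructed addressing:
! inside 192.168.1.0/24, web server 192.168.1.20 published as 203.0.113.20,
! remote VPN subnets 10.10.0.0/16 that must reach the inside untranslated.
!
! Objects must exist before any twice (manual) NAT statement references them.
object network inside-net
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Auto-NAT one-to-one static for the published server.
object network web-server
 host 192.168.1.20
 nat (inside,outside) static 203.0.113.20
!
object network vpn-subnets
 subnet 10.10.0.0 255.255.0.0
!
! Twice NAT identity rule: source and destination are matched but left
! unchanged, so site-to-site VPN traffic is never PATed. Manual NAT rules
! (section 1) are evaluated before Auto-NAT (section 2), so this rule
! wins over the dynamic rule attached to inside-net.
nat (inside,outside) source static inside-net inside-net destination static vpn-subnets vpn-subnets
!
! "Real IP": the inbound ACL matches the server's real address 192.168.1.20,
! not the mapped 203.0.113.20, because untranslation happens before the ACL.
access-list outside_in extended permit tcp any host 192.168.1.20 eq 80
access-group outside_in in interface outside
!
! Verify. The first trace should show the NAT untranslate phase and an ACL
! permit; the second should match the identity rule with no translation.
packet-tracer input outside tcp 198.51.100.7 33333 203.0.113.20 80
packet-tracer input inside tcp 192.168.1.10 44444 10.10.1.5 443
```

If the inside-to-VPN trace shows the dynamic PAT rule instead of the identity rule, the manual NAT line is missing or ordered after-auto; that misordering silently breaks the tunnel's interesting-traffic match.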


Quickly turn a CD/DVD into a .iso

August 31, 2010 at 9:07 am (Uncategorized)

dd if=/dev/sr0 of=/tmp/your-iso.iso

For other great tips see:
http://www.granneman.com/techinfo/linux/burningcds/makeanisoimage.htm


Good Bye Virtual Iron

July 28, 2010 at 10:59 am (Uncategorized)

Well, we are working feverishly to migrate all of our Linux and Windows servers off of our old trusty Virtual Iron cluster to our shiny new VMware ESX cluster.

Good Bye Virtual Iron, I’ll miss you. Let’s remember how Virtual Iron was eaten alive by the Oracle Monster.


Access console port on a Cisco Aironet 1200 Series

June 23, 2010 at 9:40 am (Uncategorized)

You need the following serial settings to access the console port on a Cisco Aironet 1200 Series AP.

9600 baud
8N1
Hardware Flow Control = OFF
Software Flow Control = OFF

Tip:
If you can see output from the console but your keystrokes are ignored, check the flow control settings.


Getting err-disable when trying to bring up EtherChannel.

June 21, 2010 at 11:51 am (Technology, TechTips, Uncategorized)

Recently I was trying to bring up an EtherChannel connection between a Catalyst 3750 and a Catalyst 4507.

I was going to join 4 ports together, one from each of the first 4 blades on the 4507. It is good to use several blades to protect against a blade failure.

However, when I went to bring up the bundle using LACP, within seconds all bundled ports were shut down and this logging message popped up:

%PM-4-ERR_DISABLE: channel-misconfig (STP) error detect on GigabitEthernet1/0/45.

I was really stumped as to what was causing this. Google searching did not really return any clear answers.

The message was stating that the error was somehow related to Spanning Tree Protocol. I turned on all Spanning Tree debugs and re-enabled just the first port again, but the debugs didn’t show anything unusual happening. What was interesting is that this error was only occurring on the 3750; no errors were showing up on the 4507. I double checked the STP root bridge priorities, etc.

I started to comb through the running-config on the 3750 with a fine toothed comb. It was then that I noticed this config towards the top:

spanning-tree etherchannel guard misconfig

This config intrigued me. I had not noticed it before and I was unclear as to what it might do. I no’d out the command and again tried to bring up just the first interface in the bundle. No cigar, same epic fail. At this point, I saved the config (write me) and reloaded the switch. Once the switch was back up, I again tried to bring up the bundle members, but in reverse order, starting with gi1/0/48 and moving towards gi1/0/45. One by one, they were each able to join the bundle. Finally, I went to bring up the last interface, gi1/0/45. It came up, however the command show etherchannel 2 summary showed that it was in the waiting state. This is indicated by state w. It seemed to stay in waiting for about a minute until it changed to I. The status I indicates that the port is individual and not part of the bundle.

I thought that it was strange for gi1/0/45 to go to individual mode. I then traced the cabling from gi1/0/45 on the 3750 to fa3/3 on the 4507. “Now just you wait a sec!” I found that I had accidentally cabled to port fa3/5 instead. This was the wrong port and was not configured to be part of the EtherChannel.

Wow, so

spanning-tree etherchannel guard misconfig

was trying to tell me that I had a mis-cabled port! That’s pretty sweet. I did a quick Google search on the command and found that essentially it allows EtherChannel to use STP to attempt to find misconfigurations (including messed up cabling).

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/stp_enha.html#wp1029499

This story has two morals:

1) Definitely configure STP etherchannel guard misconfig. That command is just another of those that will watch your back. You just gotta love those commands.

2) If your ports are going err-disable and you’re getting that odd STP misconfig error, remember to go check your cabling and which ports are config’d.

Happy Routing!


How to verify that mod_security is working.

June 9, 2010 at 2:40 pm (Uncategorized)

Did you just install mod_security or restart apache?

Do you want to make sure that mod_security is working? Well, if you have installed the CRS, then you are in luck! Here is a simple way to test operation.

First, set up a tail -f on whatever file you have mod_security logging violations/alerts to.

Next, from another Linux box that has wget installed, run this command:
wget -O - -U "webtrends security analyzer" https://rp.vitamix.com

Finally, back in the audit log, you should see an alert logged. This is because the user agent “webtrends security analyzer” is blocked by CRS.


IRC channel for RHEV chat and un-official support

May 28, 2010 at 11:35 am (linux, TechTips, Uncategorized)

Do you work with Red Hat Enterprise Virtualization, or are you interested in it?

Why not head on over to the unofficial IRC channel for all things RHEV?

There’s a great group of people hanging out there that can try to offer assistance and great insights.

We can be found at: chat.freenode.net  #rhev

Hope to see you there!

NOTE: This IRC channel is in no way officially related to Red Hat, Inc.


Which Remote Access Cards are supported by RHEV.

May 27, 2010 at 1:59 pm (Uncategorized)

Here is a handy matrix I found that shows which Remote Access Card interfaces are supported by RHEL and RHEV:

http://kbase.redhat.com/faq/docs/DOC-30003


Trying to configure Power Management on RHEV?

May 27, 2010 at 1:58 pm (Uncategorized)

Are you trying to configure Power Management on Red Hat Enterprise Virtualization? Does the test keep failing?

Leave the Port menu box empty. The port box is only used with IBM BladeCenter.
Here is the KB article that describes this:
http://kbase.redhat.com/faq/docs/DOC-23648

Another KB matrix on fencing:

http://kbase.redhat.com/faq/docs/DOC-30004

Tip:

When using a DRAC6 RAC interface, select: ipmilan.
